[njs] XML: removed XML_PARSE_DTDVALID during a document parsing.

Dmitry Volyntsev
March 02, 2023 12:54AM
details: https://hg.nginx.org/njs/rev/700f267bd903
branches:
changeset: 2061:700f267bd903
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Wed Mar 01 21:38:09 2023 -0800
description:
XML: removed XML_PARSE_DTDVALID during a document parsing.

When XML_PARSE_DTDVALID is enabled libxml2 parses and executes external
entities present inside an xml document. This can lead to all the
classic XXE exploits, including SSRF and local file disclosure.

The issue was introduced in 99b9f83e4d4d (0.7.10).

Thanks to @BitK_.

diffstat:

external/njs_xml_module.c | 3 +--
test/xml/external_entity_ignored.t.js | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 2 deletions(-)

diffs (35 lines):

diff -r 7197f860de2f -r 700f267bd903 external/njs_xml_module.c
--- a/external/njs_xml_module.c Tue Feb 28 20:34:38 2023 -0800
+++ b/external/njs_xml_module.c Wed Mar 01 21:38:09 2023 -0800
@@ -432,8 +432,7 @@ njs_xml_ext_parse(njs_vm_t *vm, njs_valu
}

tree->doc = xmlCtxtReadMemory(tree->ctx, (char *) data.start, data.length,
- NULL, NULL, XML_PARSE_DTDVALID
- | XML_PARSE_NOWARNING
+ NULL, NULL, XML_PARSE_NOWARNING
| XML_PARSE_NOERROR);
if (njs_slow_path(tree->doc == NULL)) {
njs_xml_error(vm, tree, "failed to parse XML");
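
Review bot: the xmlCtxtReadMemory() call now relies entirely on libxml2's defaults to keep external entities from being fetched, and nothing at the call site records why XML_PARSE_DTDVALID was dropped. Consider OR-ing in XML_PARSE_NONET, so that network access stays forbidden even if a loading flag is reintroduced later. A short comment above the call should say that XML_PARSE_DTDVALID, XML_PARSE_DTDLOAD and XML_PARSE_NOENT must not be passed for untrusted input. With XML_PARSE_NOWARNING | XML_PARSE_NOERROR both set, a later regression here would produce no diagnostic, which makes that comment more valuable.
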
diff -r 7197f860de2f -r 700f267bd903 test/xml/external_entity_ignored.t.js
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/xml/external_entity_ignored.t.js Wed Mar 01 21:38:09 2023 -0800
@@ -0,0 +1,18 @@
+/*---
+includes: [compatXml.js, compatNjs.js]
+flags: []
+paths: []
+---*/
+
+let data = `<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ENTITY c PUBLIC "bar" "extern_entity.txt">
+]>
+<root>&c;</root>
+`;
+
+if (has_njs()) {
+ const xml = require('xml');
+ let doc = xml.parse(data);
+ assert.sameValue(doc.$root.$text, "");
+}
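
Review bot: the entity declaration points at "extern_entity.txt", but the diffstat lists only njs_xml_module.c and this test, so no fixture with that name is added by the changeset. Unless that file already exists with non-empty content in the directory the test runs from, `assert.sameValue(doc.$root.$text, "")` may hold simply because there is nothing to load, and the test would not catch a regression. Suggest committing a fixture with a known marker string and asserting that the marker does not appear in `$text`. A second case using a SYSTEM identifier next to this PUBLIC one would cover both declaration forms.
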
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel